CheckPoint DAIP VPN get Peer Names

Hi Guys,

I'm trying to link the public IP address as shown in vpn tu to the object name, I know the objects are assigned an internal IP of 0.0.0.x, is this number consistent?

My main goal here is to analyse the VPN's public IP address and check when it changes as they are configured as DAIP on the 1430's, unfortunately the vpn sub commands don't seem to be able to give this link.

7 Replies

Re: CheckPoint DAIP VPN get Peer Names

The command is rs_db_tool, which should be issued from the management side.

rs_db_tool
Description rs_db_tool is used to manage DAIP gateways in a DAIP database.
Syntax
# rs_db_tool [-d] <-operation <add <-name object_name> <-ip module_ip> <-TTL Time-To-Live> >
# rs_db_tool [-d] <-operation fetch <-name object_name> >
# rs_db_tool [-d] <-operation <delete <-name object_name> >
# rs_db_tool [-d] <-operation <list> >
# rs_db_tool [-d] <-operation <sync> >


Re: CheckPoint DAIP VPN get Peer Names

Hi Marco,

Is there a similar command that can be executed from the gateway? And would you happen to have example output of rs_db_tool -operation list, as I currently don't have CLI access to the MDSM? And what does the -d flag do?


Re: CheckPoint DAIP VPN get Peer Names

The -d flag is for debug, I suppose. Anyway, I don't know about the security gateway, but I guess the database for the dynamic objects is hosted on the management server.

Anyway, from the vpn tu command you should be able to see (if you have a valid SA) something like this:

Peer (dynamic) xxx.xxx.xxx.xxx SAs:


Re: CheckPoint DAIP VPN get Peer Names

Hi Marco,

I built a setup in my lab until I can get access to their manager, but it gives exactly the information that I needed.

[Expert@vpn-test-mgmt:0]# rs_db_tool -operation list

----------------------------------------
Daip modules database - entries list
----------------------------------------

Entry # | Object name | IP | TTL
-------- ------------------------------ ------------------ -------
1 | Remote-GW-DAIP | 12.12.12.100 | 5198225
-------- ------------------------------ ------------------ -------


Re: CheckPoint DAIP VPN get Peer Names

Yes, I'm aware that vpn tu / vpn shell will give me the IKE SA output and the dynamic IP of the 1430, but the trick is linking that to an object name.

And yes, -d is confirmed as the debug flag; I found it in one of the documents.

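The two outputs discussed in this thread can be joined in a script: vpn tu on the gateway prints the dynamic peer IP, and rs_db_tool -operation list on the management side prints object name, IP and TTL. The following is an added example and not code from any of the posts above. The rs_db_tool listing and the vpn tu peer lines it reads are constructed samples modelled on the output shown in the thread (the second object name and the 198.51.100.x / 203.0.113.x addresses are made up), and it assumes the listing keeps the "entry | name | IP | TTL" column layout shown in the lab output.

```bash
#!/bin/bash
# Added example (not from the original thread). Joins the object-name -> IP
# mapping that `rs_db_tool -operation list` prints (management / CMA side) with
# the "Peer (dynamic) <ip>" lines that `vpn tu` prints on the gateway, so each
# dynamic peer can be labelled with its object name. Both inputs below are
# CONSTRUCTED samples imitating the output shown in the thread; on a real system
# replace them with the captured command output.

RS_DB_SAMPLE='
----------------------------------------
Daip modules database - entries list
----------------------------------------

Entry # | Object name | IP | TTL
-------- ------------------------------ ------------------ -------
1 | Remote-GW-DAIP | 12.12.12.100 | 5198225
2 | Branch-1430-B | 198.51.100.7 | 5198000
-------- ------------------------------ ------------------ -------
'

# Constructed vpn tu peer lines (the real command prints SA details under each).
VPN_TU_SAMPLE='
Peer (dynamic) 12.12.12.100 SAs:
Peer (dynamic) 198.51.100.7 SAs:
Peer (dynamic) 203.0.113.9 SAs:
'

# daip_list DB_TEXT: parse rs_db_tool list output into "name ip ttl" lines.
# Instead of skipping a fixed number of header lines, keep only rows that split
# into exactly four '|'-separated fields and whose first field is numeric, so a
# different banner length or an extra blank line does not break the parse.
daip_list() {
  awk -v db="$1" '
    function trim(s) { sub(/^[ \t]+/, "", s); sub(/[ \t]+$/, "", s); return s }
    BEGIN {
      n = split(db, rows, "\n")
      for (i = 1; i <= n; i++) {
        if (split(rows[i], f, "[|]") != 4) continue   # banner / separator line
        if (trim(f[1]) !~ /^[0-9]+$/) continue        # column header row
        print trim(f[2]), trim(f[3]), trim(f[4])
      }
    }'
}

# label_peers DB_TEXT TU_TEXT: print "<ip> -> <object name>" for every
# "Peer (dynamic) <ip>" line. A peer that has no DAIP entry (e.g. a gateway
# whose entry expired, or an unexpected peer) is reported as "unknown" rather
# than silently dropped, since that is the case worth investigating.
label_peers() {
  local map
  map=$(daip_list "$1")
  awk -v map="$map" -v tu="$2" '
    BEGIN {
      n = split(map, rows, "\n")
      for (i = 1; i <= n; i++) { split(rows[i], f, " "); name[f[2]] = f[1] }
      m = split(tu, lines, "\n")
      for (i = 1; i <= m; i++) {
        if (lines[i] !~ /^Peer \(dynamic\) /) continue
        split(lines[i], w, " ")
        ip = w[3]
        print ip, "->", (ip in name ? name[ip] : "unknown")
      }
    }'
}

label_peers "$RS_DB_SAMPLE" "$VPN_TU_SAMPLE"
```

On a real deployment the rs_db_tool text would come from the management server (after mdsenv on an MDS) and the vpn tu text from the gateway, so the two captures have to be brought together on one host before running the join; the TTL column is parsed but not used here.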

Re: CheckPoint DAIP VPN get Peer Names

So I've put together a script to capture the dynamic IPs and the times the IP address changes, if it is of interest to anyone.

#!/bin/bash
# Records the public IP of every DAIP gateway listed in the CMA's DAIP database
# and appends a new "IP timestamp" pair to the object's line whenever it changes.
today=$(date +%s)
cma="<CMA_NAME>"
outputFile="/home/admin/output.txt"
touch "$outputFile"

function checkIPs {
    # Load the Check Point environment so mdsenv and rs_db_tool are available
    if [ -r /etc/profile.d/CP.sh ]; then
        . /etc/profile.d/CP.sh
    else
        echo "Could not source /etc/profile.d/CP.sh"
        exit 1
    fi

    # Switch to the CMA that holds the DAIP database
    mdsenv "$cma"

    # Drop the banner, column header and separator lines of the rs_db_tool output
    # (head -n -2 needs GNU head, which Gaia has) so only the
    # "<entry> | <name> | <ip> | <ttl>" rows remain, then pull out name, IP and TTL
    rs_db_tool -operation list 2>&1 | tail -n +8 | head -n -2 | grep -v -- '------' | \
    awk '/ / {print $3, $5, $7}' | \
    while read -r fwName ipAddress ttl; do
        # Whole-word match so that e.g. GW-1 does not match GW-10
        if grep -Fwq "$fwName" "$outputFile"; then
            echo "Object Already Exists"
            # The most recent IP is the second-last field of the object's line;
            # if it differs from the IP just fetched, append the new IP and time
            existingIPAddress=$(grep -Fw "$fwName" "$outputFile" | awk '{print $(NF-1)}')
            if [ "$existingIPAddress" != "$ipAddress" ]; then
                sed -i "\,^${fwName} , s,$, ${ipAddress} ${today}," "$outputFile"
            fi
        else
            # First time this object is seen: start its line with name, IP, time
            echo "$fwName $ipAddress $today" >> "$outputFile"
        fi
    done
}

checkIPs


Re: CheckPoint DAIP VPN get Peer Names

Wonderful job, thanks.
